Presentation transcript: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE
Slide 1: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE
The University of Western Ontario & McMaster University’s Experiences
June 7th, 2011
(Sharon)
Slide 2: Agenda
- Introductions
- What is PCI and Why is it Important?
- Lessons Learned
- What Lies Ahead?
(Sharon)
Slide 3: Introductions
- Sharon Farnell – Director, Internal Audit – The University of Western Ontario
- Stacey Farkas – Supervisor, Financial Reporting – McMaster University
- Tim Russell – Project Manager, University Technology Services – McMaster University
Slide 4: Introductions
Western:
- 2010 – $27 million in credit card sales
- 60 merchants
McMaster:
- $24 million in credit card sales
- $25 million in credit card sales – $16 million in INTERAC ONLINE transactions
- 58 merchants
Notes (Sharon):
To mention?
Western University – Located in London, Ontario – pop. etc…….
McMaster University – Located in Hamilton, Ontario – pop. 500,000
- 20,400 full-time undergraduate students
- 3,025 full-time graduate students
- More than 1,200 full-time faculty members and 6,500 staff
- $785 m consolidated budget
Slide 5: What is PCI?
- PCI-DSS: Payment Card Industry – Data Security Standards
- Standards developed by the credit card companies (Visa, M/C) to protect cardholders
- PCI Data security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data
- EVERY merchant is required to be in compliance with these standards
Notes (Sharon):
To give some context for those who may not be as familiar with PCI or have not had much dealings with it – I’ll give a quick and very high level summary and then why it’s important.
PCI-DSS stands for Payment Card Industry Data Security Standards – we’ll tend to shorten it and just call it PCI, but we are referring to the standards.
Payment Card Industry – is the major credit card companies, i.e. Visa, Mastercard, Amex. The standards were developed by them to protect cardholders.
It’s important to note that these Standards don’t just cover the ‘technical’ workings behind the scenes of accepting credit cards but are all encompassing, covering policies, business processes, systems, and security.
AND the requirements apply to all members (the credit card companies themselves), merchants (would be us – anyone accepting) and service providers (i.e. Moneris, Global Payments, the banks) – anyone who processes, stores, or transmits cardholder data.
All encompassing – could involve other 3rd party applications that come in contact with credit card information.
When we talk about being compliant throughout the presentation – the expectation is that every merchant (if you have a merchant number and are accepting credit cards) IS COMPLIANT.
Slide 6: What is PCI?
There are 12 requirements, grouped into six categories for PCI Compliance:
- Build and Maintain a Secure Network (req. 1 & 2)
- Protect Cardholder Data (req. 3 & 4)
- Maintain a Vulnerability Program (req. 5 & 6)
- Implement Strong Access Control Measures (req. 7, 8 & 9)
- Regularly Monitor and Test Networks (req. 10 & 11)
- Maintain a Policy that addresses Information Security (req. 12)
Notes (Tim):
PCI DSS – the standards themselves – have 6 BROAD CATEGORIES, which include 12 specific requirements, and within those requirements there are approximately 250 items that you have to meet. Every merchant has to work through some or all of these items depending on the type and LEVEL of merchant you are (we’ll talk about that in a minute).
These requirements are very broad in spectrum and cover items from the actual physical security of a piece of paper with a credit card number on it to very technical requirements such as intrusion protection and anti-virus programs.

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data – i.e. from the ecommerce transmission of data to receiving a number via fax and where it’s stored
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Program (relates more to ecommerce – i.e. intrusion protection and detection)
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain a Policy that addresses Information Security
12. Maintain a policy that addresses information security for employees and contractors – not just writing it and having it but making sure people are actually following it – one of our biggest challenges
Slide 7: Merchant Levels
Merchant Level 1
- Processing Volumes per year: > 6,000,000 Visa transactions
- Validation Actions: Annual on-site PCI-DSS Assessment; Quarterly Network Scan
- Validation By: Qualified Security Assessor or Internal Audit if signed by Officer of the company; Approved Scanning Vendor
Merchant Level 2
- Processing Volumes per year: 1,000,000 to 6,000,000 Visa transactions
- Validation Actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
- Validation By: Merchant; Approved Scanning Vendor
Notes (Tim):
The validation requirements vary depending on Merchant Level. The next TWO charts show us the different MERCHANT LEVELS that all merchants are categorized under as defined by VISA, AND why the LEVEL of merchant that you fall under is important, as it determines the validation requirements that you must perform to prove your PCI DSS Compliance.
Universities are typically Level 4 Merchants. McMaster has approximately 65 merchant accounts – but all merchants are pooled together and McMaster is looked at as one big merchant for purposes of these LEVEL definitions. We are a Level 4 currently but quickly approaching Level 3 based on our volumes.
REGARDLESS of the level that you are defined as – you are required to be compliant at all times – the level simply determines the audit requirements that are set out by Visa and Mastercard, which are outlined on the NEXT SLIDE.
This is something that we emphasize in all our presentations and training that we do – it’s not a one time activity – we are always required to be compliant at all times, it’s an ongoing process!
Slide 8: Merchant Levels
Merchant Level 3
- Processing Volumes per year: 20,000 to 1,000,000 Visa e-commerce transactions
- Validation Actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
- Validation By: Merchant; Approved Scanning Vendor
Merchant Level 4
- Processing Volumes per year: fewer than 20,000 Visa e-commerce transactions, and all other merchants up to 1,000,000 transactions
- Validation Actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
- Validation By: Merchant; Approved Scanning Vendor
Notes (Tim):
Continuation of previous slide.
Slide 9: Merchant Types
PCI Security Council separated out Merchant Types and introduced a SAQ for each type in 2008.
Notes (Tim):
Picture we developed and used in our training to help understand the different types of merchants and the level of SAQ QUESTIONNAIRE that applies to them.
A – is for virtual terminal transactions – explain… i.e. our music department holding a concert and wanting to accept credit card payments; OR for ecommerce sites where, once the end consumer goes to purchase, they are redirected to the Moneris (hosted pay page) to complete the transaction – the payment processing itself (the credit card information) stays with Moneris, on their site, in their secure environment. Type A merchants are only required to answer questions and attest for 2 requirements out of the possible 12.
B – for typical POS merchants – retail type environment – i.e. Parking office – have to answer 4/12 requirements.
C – typical retail type POS merchant that also has some additional software/integrated – behind the scenes – i.e. bookstore.
D – in house or 3rd party systems where the credit card information is being processed – most complicated – have to answer all 12 requirements (240 points), i.e. Athletics and Rec – integrated Registration system, or Hospitality Meal Card system – with GMC meal card integrated system.
The newest version of the Standard (version 2.0) has changed some of the merchant types, introducing a Type C – Virtual Terminal merchant, so some re-alignment may be required for merchants.
Slide 10: Why is PCI Compliance Important?
- FINANCIAL RISK
  - fines from payment processor and/or credit card companies
  - costs to notify cardholders
  - repayment of fraudulent charges incurred by end consumer
  - audit costs by PCI assessor
- LOSE THE ABILITY TO PROCESS CREDIT CARDS – CAMPUS WIDE
- REPUTATIONAL RISK!
- OPPORTUNITY TO ENHANCE SECURITY/IT BEST PRACTICES
Notes (Stacey):
So why is this important to us and to you?! Or why should you pay some attention to our presentation today?
Helps to ensure our systems are secure and reduces risk of a breach… if it is discovered that a security breach occurred because you were not compliant, liability includes:
First and foremost the FINANCIAL RISK:
- fines from payment processor (Moneris) and/or credit card companies
- costs to notify cardholders
- repayment of fraudulent charges incurred by end consumer
- audit costs by PCI assessor – you’ll be under much more scrutiny and be required to have yearly external security audits, which can be costly
Could LOSE THE ABILITY TO PROCESS CREDIT CARDS – CAMPUS WIDE – not just the one merchant who caused the problem – affects ALL merchants.
REPUTATIONAL RISK!! – it won’t be your bookstore or small department running a conference that had a breach and gets mentioned in the media – it will be the University as a whole.
(NOTE – as told to us when we had a security audit done, which we’ll talk about later on – it’s not IF you have a breach, it’s WHEN you have a breach – how you deal with it will minimize the financial liability.)
Slide 11: Our PCI ‘Approaches’
Western: Central approach to Self Assessment Questionnaires (SAQs).
McMaster: Centralized management with individual merchant responsibilities.
(Stacey)
Slide 12: Lessons Learned
1: Collaboration of stakeholders is key
2: Identify your PCI Scope and environment
3: Minimize Local Payment Processing
4: Centralized Merchant Approval Process
5: Audit Considerations
6: Don’t underestimate your time
7: Breach Escalation process
8: Centralized approach to PCI DSS Self Assessment Questionnaires
9: Include PCI compliance in the RFP and Purchasing Process
10: Funding: Who Pays for this?
11: It’s a learning Journey
12: Risk Management Strategies
Notes (Stacey):
Both universities have similar lessons learned, but different approaches. There is no one right way to manage for PCI Compliance. Sharon will explain Western’s lessons on each slide and Tim and I will alternate:
1: Collaboration of stakeholders is key (SF)
2: Identify your PCI Scope and environment (SF)
3: Minimize Local Payment Processing (TR)
4: Centralized Merchant Approval Process (TR)
5: Audit Considerations (TR)
6: Don’t underestimate your time (SF)
7: Breach Escalation process (SF)
8: Centralized approach to PCI DSS Self Assessment Questionnaires (TR)
9: Include PCI compliance in the RFP and Purchasing Process (TR)
10: Funding: Who Pays for this? (SF)
11: It’s a learning Journey (SF)
12: Risk Management Strategies (SF)
Slide 13: Lesson 1: Collaboration of Stakeholders is Key
Western: Central Bank Card Committee
- Financial Services, Internal Audit, IT, Campus Department Representatives
- Chaired by AVP, Financial Services
McMaster: PCI Steering Committee
- Financial Services, IT, Key Departments, Internal Audit
- Chaired jointly by AVP Administration and CIO
(Sharon)
Senior management support for the process.
(Stacey)
Slide 14: Lesson 2: Identify your PCI Scope and Environment
Western:
- Pre-RFP Review – Evaluate Environment
- IT Code Review
- Interviewed all campus departments
McMaster:
- Had a PCI GAP analysis completed in 2008
- Helped us to focus on high risk areas within the 12 requirements – action plan via PCI Steering Committee
Notes (Sharon):
WESTERN: Prior to issuing the RFP we had an assessment done of our environment that identified areas where we needed to implement firewalls, etc. that would limit the audit scope. Review of the code of our payment process resulted in the company sharing information that would move our payment processing away from Western. By implementing this process we reduce our PCI scope such that our IT environment becomes ‘out of scope’.
(Stacey)
Slide 15: Lesson 3: Minimize Local Payment Processing
Western:
- Campus merchants are required to use Western’s internal Payment Page
- Currently migrating to an external Pay Page solution
McMaster:
- Steer merchants to Hosted Pay Page solutions
- Place compliance on the software vendors
- Moving from Type D to A merchants – less risk
(Sharon)
Notes (Tim):
Direct merchants towards a Type A eCommerce solution where possible (Moneris Hosted Payment Page/eSelectPlus). Work with vendors on their PCI compliance and expect that from products: learning curve over last several years. Often difficult with niche (Higher Ed) solutions as the market is small or US based (Moneris is not known to them).
Slide 16: Lesson 4: Centralized Merchant Approval Process
Western:
- New e-commerce merchants must be approved by Bank Card Committee
- PCI Compliance is a requirement
McMaster:
- Upfront Approval Process – new merchants must meet PCI DSS requirement before a merchant number is issued
- Merchants can be suspended if not in compliance
(Sharon)
Notes (Tim):
McMaster: Centralized payment processor. WE NEGOTIATED THE CONTRACT WITH ‘PREFERRED’ SUPPLIER, NOT ‘EXCLUSIVE’, WHICH ALLOWED US TO GRANDFATHER SOME OF THE MERCHANTS WHO HAD INTEGRATED SYSTEMS (only 2 left). Any new applications come through Financial Services with required sign-offs and security scans by IT; this allows us to manage risk by ensuring compliance before activating the merchant #.
Slide 17: Lesson 5: Audit Considerations
Western:
- Limited Scope – Lower Costs
- Important for Auditor to apply PCI to a University setting
- Consistency of Auditor key
- Demonstration of Compliance
McMaster:
- Pre-audit in 2008 – helped to limit scope
- Focus on individual (Type D) merchants
Notes (Sharon):
WESTERN: 3-4 day process. Documentation key. Compensating controls re security policy and criminal checks.
(Tim)
Slide 18: Lesson 6: Don’t Underestimate Your Time
Western:
- Six months became 2+ years
- IT Resources – Significant Impact – Documentation
- Have people to help keep on track
McMaster:
- Committee commenced work in 2006, still on-going
- Education and clarification of requirements took a long time
Notes (Sharon):
WESTERN: 3-4 day process. Documentation key.
(Tim)
Slide 19: Lesson 7: Breach Escalation Process
Western:
- Requirement of PCI-DSS
- Took time to get it ‘right’
McMaster:
- Developing protocols for front-line workers and internal response
- Escalating communication plan dependent on nature of the breach
(Sharon)
Notes (Stacey):
Breach – not if but WHEN.
Slide 20: Western Breach Protocol (flowchart; recovered text)
Perceived Breach – Types of Breaches:
- Receipts compromised
- POS compromised
- Electronic client data compromised
- Missing items
- Technical breach
- Unauthorized wireless device
Contacts:
- UWO Police x911
- UWO Finance x85432
- UWO Legal x84217
- UWO NSO IT Security
- UWO IPO x84541
- UWO Communications
- Moneris (corporate payment processor)
Flow:
- USER: identify, inform and contain; user ascertains risk and notifies accordingly. Device theft or device tampering: Types 1, 2, 3, 5. Missing files, machine, data: Type 4.
- POLICE: engage criminal investigation and inform NSO.
- NSO/CISO: assesses data risk and contains; notifies IPO and Finance.
- FINANCE: assesses financial risk and notifies NSO on data and vendors for …; transactional items on stop or alert (Moneris).
- IPO: interfaces with NSO, Legal and Communications if privacy at risk.
- LEGAL: after risk assessments and vendor notification, Legal is informed by IPO if necessary.
- ITS as initiator.
Legend:
- IPO – Information Privacy Office
- UWO IT – Western Information Technology
- NSO – Network Security Officer (CISO)
- CISO – Campus Information Security Officer
- Moneris – corporate payment processor
ACT FAST! CONTAIN THE DAMAGE. PRESERVE EVIDENCE. DO NOT ACCESS COMPROMISED SYSTEM.
(Sharon)
Slide 21: Lesson 8: Centralized Approach to Self Assessment Questionnaires
Western:
- Created own internal SAQ to be filled out by departments
- Fill out SAQ for the university as a whole centrally
McMaster:
- Each merchant is responsible for filling out PCI SAQ
- SAQ questionnaires now automated through on-line submission
- 3rd party company for both SAQ submission and Quarterly scanning
(Sharon)
Notes (Tim):
MCMASTER: RFP for Third-Party Quarterly scanning and online SAQ submission and monitoring process. As required for Level 4 (if requested by payment processor) and required for Level 3. Prepares McMaster for Level 3 merchant requirements. Provides better management of the merchant SAQ submissions (over 60 each year); manual follow-up currently required.
Slide 22: Lesson 9: Include PCI Compliance in the RFP & Purchasing Process
Western:
- Push your knowledge to external partners / vendors
McMaster:
- Smaller companies weren’t always aware of PCI compliance.
- Integrated into Policy and Purchasing documents
(Sharon) (Tim)
Slide 23: Lesson 10: Funding – Who Pays for This?
Western:
- Funded centrally
McMaster:
- Yearly internal Merchant ‘PCI Levy’
- Base charge plus volume based charge with caps
- Essentially covers the cost of 1 FTE in IT and 0.5 in Financial Services
- Now covers cost of 3rd party assessor
(Sharon)
Notes (Stacey):
NOW WE ARE UP TO 2009 AND OUR PROJECT FUNDING FINALLY RAN OUT. OUR VOLUMES CONTINUE TO GROW, AND WE STILL NEEDED ADDITIONAL RESOURCES. AT MAC, MOVING TO ACTIVITY BASED BUDGETING, A MERCHANT VOLUME BASED FEE SEEMED THE MOST LOGICAL. LOTS OF RESISTANCE BUT WE TWEAKED IT, %’S STEPPED IT IN, DELAYED IT, MAXIMUMS FOR BIG MERCHANTS ETC.
Based on Pre-Assessment recommendations, planned for increased resources to manage PCI. This included the introduction of a PCI Levy:
- Essentially covers the cost of 1 FTE in UTS and 0.5 FTE in Financial Services
- Designed to reflect actual setup and operational costs and create incentives to find economies of scale
- Closes the resource gaps identified by Trustwave
- Fee for all merchants:
  - base charge (depending on type – higher for ecommerce): $350 BASIC PLUS 1%
  - plus a volume based charge – % of sales: $750 ECOMMERCE PLUS 1% OF SALES
  - a ceiling of $10,000 per year for any one merchant applies
Slide 24: Lesson 11: It is a Learning Journey
Western:
- PCI Changes – Helps to have ‘experts’
McMaster:
- On-going changes: the risks change, therefore the compliance also changes
- Adapt to new business processes
- Learning journey for software vendors as well
(Sharon)
Notes (Stacey):
PCI Compliance is a JOURNEY not a DESTINATION. We’ve walked you through our journey – and you’ve seen how long it’s taken us to implement our policies and procedures – it does take time and sometimes feels like a moving target, but the point here is that you can be compliant one day and not the next – so many different factors (including the standards themselves) can and will change and evolve over time – AND WE’RE STILL ALL LEARNING AS WE GO – WE’RE DEFINITELY NOT THE ‘EXPERTS’!
Slide 25: Lesson 12: Risk Management Strategies
Both Universities:
- Governance and oversight
- Third-party assessors and PCI advisors
- Pro-active compliance by doing more than required
- Migration to Hosted Payment Page
- Required annual merchant training
(Stacey)
Slide 26: What Lies Ahead?
Western:
- Keep ahead of PCI – change approaches as you go
McMaster:
- Monthly, quarterly and annual activities, based on merchant type
PCI Security Council:
- Three year cycle for standard revisions
- Now possible for internal auditors to be certified to conduct PCI audits
(Sharon) (Tim)
Slide 27: References
- PCI Security Council: https://www.pcisecuritystandards.org/index.shtml
- University of Western Ontario:
- McMaster University:
(Sharon)